Uploaded image for project: 'WildFly Common'
  1. WildFly Common
  2. WFCOM-66

New XML Factories with Restriction of XML External Entity Reference (XXE)

    XMLWordPrintable

Details

    • Enhancement
    • Status: Resolved (View Workflow)
    • Major
    • Resolution: Done
    • 1.5.3.Final
    • 1.6.0.Final
    • None

    Description

      As discussed on Zulip multiple modules inside WildFly-Core, WildFly and maybe other components shall prevent from XXE. Currently some codepoints use a native javax.xml.parsers.DocumentBuilderFactory or javax.xml.stream.XMLInputFactory. Restriction of XML External Entity Reference is lacking.

      Fix:

      • Provide factories setting secure defaults (here)
      • Use the new factories at relevant places WFCORE-5594

      Related to:

      The approach is to try to set/activate the relevant properties and log a warning if the underlying Factory does not support the property. The log shall appear only once (per classloader).

      Attachments

        Issue Links

          Activity

            People

              Unassigned Unassigned
              xf01213 Boris Unckel (Inactive)
              Votes:
              1 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: